[SOLVED] How to manage HUGE log messages sent to ELK stack over-the-wire?

ZillaG · March 9, 2017, 9:45pm

I've been using ELK for centralized logging service, and rsyslog as my shipper. Rsyslog wraps the log events in a JSON format.

However, some of our application logs are HUGE, e.g., stack traces, and when Logstash receives them, the log is truncated, resulting in _jsonparsefailure. I've tried sending the logs either via UDP/UDP6 and TCP/TCP6 to no avail.

How have some of you manage to solve this? I'm sure I'm not the only one in this predicament.

Thanks!

ZillaG · March 10, 2017, 4:44pm

For rsysog users, see How to ship JSON logs via Rsyslog, especially the $MaxMessageSize setting. This along with the buffer_size setting solved my issues where large log events were being truncated.

warkolm · March 11, 2017, 6:07pm

Thanks for sharing this solution!

Topic		Replies	Views
Logstash can't handle large messages Logstash	4	2218	July 22, 2020
Rsyslog, Logstash parse Error when incoming log is too big Logstash	1	912	November 9, 2021
Logstash config parameter to handle large messages from rsyslog server Logstash	6	105	August 29, 2024
Json message not available in the ELK-stack Logstash	4	474	August 23, 2018
Error with Windows log Logstash	5	729	July 6, 2017

[SOLVED] How to manage HUGE log messages sent to ELK stack over-the-wire?

Related topics